Cisco CallManager uses a Lightweight Directory Access Protocol (LDAP)
directory to store user information (authentication and authorization
information) for CallManager applications. This directory (the DC directory)
works in conjunction with Cisco CallManager.

When you install the directory plugin, you have the choice to integrate
the current directory with one of these servers:

Microsoft Active Directory (AD) server

Netscape Directory server

After you complete the LDAP configuration, you can use the Corporate
Directory service on a Cisco IP phone, in order to search for users in the
corporate directory.

The Cisco Customer Directory Configuration Plugin installs only on
servers running Cisco CallManager 3.x and 4.x. Start with the publisher, and
install the plugin on all Cisco CallManager servers in the cluster. Cisco
recommends that you have either one Netscape Directory server or one AD server
for each Cisco CallManager cluster. This document discusses the integration
process for AD servers.

Ensure that you meet these requirements before you attempt this
configuration:

Knowledge of AD schema management

Knowledge of how to edit Windows 2000 server registry
values

Caution: If you make a mistake when you change the AD schema or edit the
registry, you can cause a system outage. It can take hours to recover from such
a problem. These changes to an active system must be made only by experienced
system administrators.

The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.

Before you can install and configure the AD plugin on the Cisco
CallManager server, you must establish an Organizational Unit (OU) named
Cisco in the AD directory. This is where all Cisco attributes
are to be stored, including profiles, system profiles, devices, and
extensions.

Click the Run this program from its current
location radio button and click
OK.

Note: If you receive a warning that an Authenticode signature was not
found, click Yes to continue.

A prompt could ask you to verify whether the host server acts as
the publisher or subscriber. If you have already integrated Cisco CallManager
with the Netscape Directory or AD, the plugin does not display this prompt. If
the host server acts as a subscriber, a prompt asks you for authentication to
the publisher. Enter the Windows 2000 username and password with local
administrative rights on the publisher.

Note: Cisco CallManager requires authentication to the publisher, and
certain fields automatically populate during the configuration process. You
must enter the publisher password during the subscriber installation, or the
plugin automatically terminates the installation.

Note: The plugin also tries to retrieve the userids and encrypted
passwords of the Cisco CallManager system users (CCMSysUsers, CCMAdministrators
and IPMASysUsers) from the publisher registry. If the password field for these
system users is empty in the registry, the plugin cannot retrieve these userids
and passwords. In this case, a warning message displays with a field where you
can set the passwords on the publisher. If you click OK before
you enter the system user passwords, a second warning message displays that
indicates the plugin cannot retrieve the password. The installation continues,
but you must set these passwords after the installation. Use the procedure that
is described in Enabling Cisco IP Services.

Check Configure Active Directory Server and click
Next to continue.

Note: If the plugin was installed previously, a different dialog box
appears. In this box, check Upgrade Active Directory
Configuration and click Next to continue.

A dialog box appears that asks you to select a setup type for AD,
either Express or Custom. Cisco recommends
that you check the Express option. Click Next
to continue.

Note: If you check Express, the plugin updates the
schema, configures AD, and enables Cisco CallManager integration with AD.
However, you can select the Custom option if you have multiple
Cisco CallManagers. If you select the Custom option, you only
need to update the schema once on the AD server.

In the Customer Information dialog box, confirm the AD server Host
Name and Port Number and click Next to
continue.

Cisco CallManager pre-populates the Host Name and Port Number
fields if the values exist in the registry. If not, you must enter the host
name (or IP address) where you installed AD and the port number on which AD
listens for LDAP requests (by default, port 389).

The error shown in this example occurs if you enter the wrong host
name or wrong port number.

If this happens, click OK, then correct the Host
Name or Port Number in the Customer Information dialog box. Click
Next to continue.

A second Customer Information dialog box displays more
configuration options. Some of the configuration option fields display the
correct data automatically, but all fields must be
completed.

See this table for more information about the value that each
field requires. When the options in this dialog box are configured, click
Next to continue.

Field: Recommended Action

Directory Administrator DN: Enter the AD Administrator Distinguished Name (DN),
which, along with the AD Administrator password, is required for binding to the
LDAP directory and in order to add Cisco-specific schema and Cisco-specific
values. The entry is typically in this format:

cn=Administrator, cn=Users, dc=mycompany, dc=com

One way of looking at this information is to consider the
information in the form of an e-mail Simple Mail Transfer Protocol (SMTP)
address. In this case, it is administrator@mycompany.com.
This information must be obtained from the AD server before
you start the installation process.

Note: This information could be populated automatically.

Directory Administrator Password: Enter the AD password.

Confirm Password: Enter the password again.

Cisco Directory Configuration DN: Enter the Cisco Directory Configuration DN,
which specifies the DN where the Cisco-dependent schema is created for the
Cisco CallManager. The Cisco Directory Configuration DN is an AD container node
where all the information related to the CallManager application is stored.
This node must exist in the AD or the installation fails. (This is why you
created a new OU in the previous steps.) This is an example:

ou=Cisco, dc=mycompany, dc=com

Note: This information could be populated automatically.

User Search Base: Enter the User Search Base, which stores the AD user
information. The User Search Base is the common denominator of all the
containers where user data is stored. By default, all user data is stored in
the user folder:
If you set up different OUs, you must specify the common
denominator.

Domain Name: Enter the AD Domain Name.

User Search Attribute: Enter the User Search Attribute, which is used in order
to search for the users in the system. This attribute must be populated. By
default, enter SamAccountName.
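
The following pre-flight check is an added example, not part of the original document or of the Cisco plugin: it confirms that the Directory Administrator DN, Cisco Directory Configuration DN and User Search Base share the same dc= components, then binds to the AD server and verifies that both containers exist. It assumes PowerShell 5 or later, run from a domain account on a domain-joined host; the host name and User Search Base value are constructed samples and the function names are hypothetical.

```powershell
# Added example. Sample DNs follow the table above; the host name and the
# User Search Base are constructed, and both function names are hypothetical.
function Get-DomainFromDn([string]$Dn) {
    # Split on unescaped commas, keep the dc= parts, and join them with dots.
    $parts = $Dn -split '(?<!\\),' | ForEach-Object { $_.Trim() }
    ($parts | Where-Object { $_ -match '^dc=' } |
        ForEach-Object { $_ -replace '^dc=', '' }) -join '.'
}

function Test-CcmDirectoryInput {
    param([string]$AdServer, [int]$Port = 389, [string]$AdminDn,
          [string]$CiscoDn, [string]$SearchBase)

    # 1. All three DNs must end in the same dc= components.
    $domain = Get-DomainFromDn $AdminDn
    foreach ($dn in $CiscoDn, $SearchBase) {
        if ((Get-DomainFromDn $dn) -ne $domain) {
            throw "'$dn' is not in domain '$domain'"
        }
    }

    # 2. The AD server must answer LDAP on the given port, and the Cisco OU
    #    and the User Search Base must already exist.
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($AdServer, $Port)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    try {
        $conn.Bind()   # binds as the logged-on Windows account; no password is typed
        foreach ($dn in $CiscoDn, $SearchBase) {
            $req = [System.DirectoryServices.Protocols.SearchRequest]::new($dn, '(objectClass=*)',
                [System.DirectoryServices.Protocols.SearchScope]::Base, 'distinguishedName')
            $null = $conn.SendRequest($req)   # throws if the entry does not exist
            "OK: $dn exists in $domain"
        }
    }
    finally { $conn.Dispose() }
}

Test-CcmDirectoryInput -AdServer 'adserver.mycompany.com' `
    -AdminDn    'cn=Administrator, cn=Users, dc=mycompany, dc=com' `
    -CiscoDn    'ou=Cisco, dc=mycompany, dc=com' `
    -SearchBase 'cn=Users, dc=mycompany, dc=com'
```

A missing Cisco OU surfaces here as a DirectoryOperationException instead of as a failed plugin installation.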

When the AD plugin setup has enough information to start the
configuration setup, a summary data window appears.

You have the opportunity to review and change the settings before
the files are configured. Click Back to return to the previous
configuration window and make corrections, or click Next in
order to go to file configuration.

Note: If you see this error message, stop.
Do not click OK. The installation will
not complete successfully until you make a change to the registry on the AD
server to resolve this problem. To correct the registry settings, follow the
procedure in the Appendix A: To Change the Registry to
Allow a Schema Update section of this document. Once you make the
appropriate registry changes as described in Appendix A, proceed to Step 12 and
continue with the plugin installation.

Once file configuration starts, a message box sometimes asks
Do you want to use your existing schema files?;
if so, click No.

This message only appears if you have already installed the AD
plugin.

When the setup completes successfully, a dialog box similar to this
one appears:

You must perform the procedure outlined here on the Cisco CallManager
server before you add or search for users through the Cisco CallManager
Administration.

Caution: If you edit the wrong registry key or make a mistake while you edit
the registry, your system could be unusable until you repair the registry. You
must back up your registry before you make any changes. Make sure you know how
to restore the registry from the backup before you continue. An explanation of
how to maintain the Windows 2000 server registry is beyond the scope of this
document. Consult your system documentation for this information.

Choose Start > Run.

Enter regedit in the Open field and click
OK.

Browse to
\\HKEY_LOCAL_MACHINE\Software\Cisco Systems, Inc.\Directory Configuration
within the registry.

In the right pane, double-click the DirAccess registry key
(DIRACCESS).

Delete the false registry entry and enter
true as the new registry entry.

You can now add or search for users within the Cisco CallManager
Administration. For information on how to perform these tasks, refer to the
latest version of the Cisco CallManager Administration Guide.

Caution: Make certain that you select the User container.
It is very easy to select the wrong container and create a new user. If you
select the wrong container, you are not able to see the user from the Cisco
CallManager User Administration screens.

Enter the First name, Last name, and User logon name of the user
you want to add; then click Next to
continue.

Add a password for the user you want to add and click
Next to continue.

If you want to create a mailbox for that user, click Create
an Exchange mailbox and click Next to
continue.

You are now ready to insert the user into the AD Domain; click
Finish to add the user.

The user now appears in the Users container under Active Directory
Users and Computers.

Log on to the Cisco CallManager server.

Choose User > Global directory and search for
the new user.

The new user name must appear in the search results. If not,
repeat the tasks in this document and verify the steps in each task.

Note: You can also add users from the Cisco CallManager user page, but
you are not able to set a password there. This must be done from the AD
server.

Note: If you are unable to open the User > Global Directory
page, you might need to re-run the AD plugin.

If the Schema Update Allowed registry key on the AD server is not set to
1, or if the plugin fails to read the registry key, a
dialog box asks you to ensure that the registry entry has been set properly.
Click OK to continue.

Caution: If you edit the wrong registry key or make a mistake while you
edit the registry, your system could be unusable until you repair the registry.
You must back up your registry before you make any changes. Make sure you know
how to restore the registry from the backup before you continue. An explanation
of how to maintain the Windows 2000 server registry is beyond the scope of this
document. Consult your system documentation for this information.

Log on to the AD server with an account that has administrative
privileges.

Choose Start > Run.

Enter regedit in the Open field and click
OK.

Navigate to the key indicated in the image provided
(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Schema Update Allowed)
and verify that the value is set to 1.

If it is set to 0, you must change the value to
1.

If this setting is not present (Schema Update
Allowed), add the DWORD key manually and set its
Value data field to 1.

To add the new DWORD value, follow this procedure:

Choose Edit > New > DWORD
value.

Enter Schema Update Allowed in the highlighted
Name field and press the Enter key.
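
The same registry check and change can be scripted so that the backup required by the Caution always happens before any edit. This is an added example, not part of the original document: it assumes an elevated PowerShell session on the AD server, and the function name and backup file path are hypothetical.

```powershell
# Added example: back up the NTDS Parameters key, then make sure the
# "Schema Update Allowed" DWORD exists and is set to 1.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$name = 'Schema Update Allowed'

function Enable-SchemaUpdate {
    param([string]$BackupFile = "$env:TEMP\ntds-parameters-backup.reg")  # hypothetical path

    if (-not (Test-Path $key)) { throw "$key not found: is this an AD server?" }

    # Export the key first; stop without changing anything if the export fails.
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; no change was made.' }

    # Read the current value; $null means the value is not present.
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    if ($null -eq $current) {
        # Value missing: create it as a DWORD set to 1.
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 | Out-Null
        return "created '$name' = 1 (backup: $BackupFile)"
    }
    if ($current -ne 1) {
        # Value present but not 1 (for example 0): change it.
        Set-ItemProperty -Path $key -Name $name -Type DWord -Value 1
        return "changed '$name' from $current to 1 (backup: $BackupFile)"
    }
    return "'$name' is already 1; nothing changed"
}

Enable-SchemaUpdate
```

The returned string records the previous state, which is useful to keep in the change log alongside the exported .reg file.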